FortiGate

Description
This article describes how to configure LDAP over SSL (LDAPS) between a FortiGate and a Microsoft Active Directory server.
The LDAP traffic, including the credentials used for the bind, is then protected by SSL/TLS on tcp/636 instead of travelling in clear text on tcp/389.

Solution
In this scenario, a Microsoft Windows Active Directory (AD) server is used as the Certificate Authority (CA).
The Active Directory Certificate Services role has already been added and the CA certificate is available for export.

1) Microsoft Windows Certificate Authority server:

On the AD server, open the MMC (Microsoft Management Console).
Go to File, select 'Add/Remove Snap-in', select 'Certificates' and then select 'Add'.
Select 'Computer account'.
Select 'Local computer' and select 'Finish'.
'Certificates' appears on the left-hand side.
Expand the tree and go to Personal -> Certificates.
Select the CA certificate (the certificate the CA issued to itself, where 'Issued To' and 'Issued By' are both the CA name), go to All Tasks and select 'Export'.
The Certificate Export Wizard appears; select 'Next'.
Do not export the private key: the FortiGate only needs the public CA certificate to validate the LDAPS server, and the CA's private key should never leave the CA server.
Select 'DER encoded binary X.509 (.CER)' as the file format.
Specify the name of the file and select 'Next'.
Complete the Certificate Export Wizard and select 'Finish'.
A success message is shown after finishing the wizard.
 
2) FortiGate.

Import the CA certificate exported in the previous step on the FortiGate.
Go to System -> Certificates, select Import -> 'CA Certificate' and upload the file.

Create a new LDAP server from the GUI, set the protocol to LDAPS (tcp/636) and select the imported CA certificate.

Note:
- If no CA certificate is selected, the FortiGate still encrypts the session but does not validate the server certificate: any certificate presented by the LDAPS server is accepted, so the FortiGate cannot distinguish the real AD server from a host impersonating it.
- If a CA certificate is selected, the FortiGate only accepts server certificates signed by that CA, and the bind fails if the AD server presents a certificate from any other issuer.
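The same LDAPS server definition can be created from the FortiGate CLI, which also makes the two cases of the note above explicit (with and without 'set ca-cert'). The following is an added example and is not taken from the original article. The server name 'AD-LDAPS', the certificate name 'CA_Cert_1' (the name FortiOS assigns to an imported CA certificate), the base DN, the bind account and the test user are assumptions to be replaced with your own values; the AD server address 192.168.252.133 is the one seen in the sniffer output below.

```fortios
# Added example (not from the article): LDAPS server definition,
# equivalent to the GUI 'LDAPS' server configured above.
config user ldap
    edit "AD-LDAPS"
        # AD server address, as in the sniffer output of this article
        set server "192.168.252.133"
        # LDAPS listens on tcp/636 (plain LDAP would be tcp/389)
        set port 636
        # attribute compared with the login name
        set cnid "sAMAccountName"
        # assumed base DN, replace with your own
        set dn "dc=example,dc=local"
        # regular bind with a dedicated, least-privileged read-only account (assumed)
        set type regular
        set username "cn=fgt-ldap,cn=Users,dc=example,dc=local"
        set password <bind-password>
        # TLS from the first byte of the connection
        set secure ldaps
        # CA certificate imported under System -> Certificates.
        # Without this line the FortiGate encrypts the session but accepts
        # any certificate the server presents.
        set ca-cert "CA_Cert_1"
    next
end

# Check: bind through the new server definition with a test account.
# The command reports whether the authentication succeeded or failed;
# a server certificate that does not chain to CA_Cert_1 fails here.
diagnose test authserver ldap AD-LDAPS testuser <test-password>

# Optional: show the authentication daemon's view of the TLS setup and bind.
diagnose debug application fnbamd -1
diagnose debug enable
diagnose test authserver ldap AD-LDAPS testuser <test-password>
diagnose debug disable
diagnose debug reset
```

To confirm that the CA certificate is actually enforced, run the test once with 'set ca-cert' pointing at a CA that did not issue the server certificate: the bind must fail. If it succeeds, the server certificate is not being validated.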
 
Debug:
Verify the communication between the FortiGate and the AD server with a packet capture (the built-in sniffer, or a capture opened in Wireshark).
After the TCP 3-way handshake, the TLS handshake between the client (FortiGate) and the server is visible:
Client Hello -> Server Hello -> ... -> Server Hello Done.
The certificate sent by the LDAPS server is seen in the packet labelled 'Certificate, Client Key Exchange, …'.
Unlike plain LDAP over tcp/389, the LDAP queries and replies themselves are encrypted and cannot be read from the capture.
For troubleshooting, plain LDAP can be enabled temporarily so that the queries and replies become visible, but it must be reverted afterwards: a regular bind over tcp/389 sends the bind account's password in clear text.
# diagnose sniffer packet any "host 192.168.252.133 and port 636"
interfaces=[any]
filters=[host 192.168.252.133 and port 636]
3.653907 192.168.252.187.11640 -> 192.168.252.133.636: syn 2104591803
3.655022 192.168.252.133.636 -> 192.168.252.187.11640: syn 3985690082 ack 2104591804
3.655066 192.168.252.187.11640 -> 192.168.252.133.636: ack 3985690083
3.655524 192.168.252.187.11640 -> 192.168.252.133.636: psh 2104591804 ack 3985690083
3.656473 192.168.252.133.636 -> 192.168.252.187.11640: 3985690083 ack 2104592128